If you thought that the promising (albeit modest) drop in the total dollars stolen by identity thieves in 2015 was a harbinger of things to come, think again.

According to the just released 2017 Identity Fraud Study from Javelin Research, the number of victims of this crime—in all its permutations—climbed to a record high of 15.4 million last year. And, despite the fact that the average amount per fraud went down, the total cost topped $16 billion, also an all-time high. What does that say about efforts to rein in identity thieves?

“We’ve gotten pretty good at closing the door once the horse has left the barn,” says Al Pascual, Javelin senior vice president and head of fraud and security. But we need work when it comes to “barring the door” to begin with.

The research, funded by LifeLock, also made clear that even if you don’t maintain a large online presence, taking steps to protect your identity is a smart move. Offline consumers are less likely to experience fraud, Pascual explains. But when it happens it’s worse, because it takes more time to detect. On the other hand, if you’re highly connected, your risk is much higher than average. But you’re also likely to detect—and shut down—attempts at fraud more quickly. How do you protect yourself? “If you’re not digitally inclined, sign-up for a credit protection service,” Pascual says. “If you are, don’t use the same passwords even across retailers.”

The study, now in its 14th consecutive year, highlights a number of specific places identity fraud and theft are on the rise or particularly troubling. Here’s a look at what they are and how to protect yourself:

Card Not Present Fraud

What you need to know: Incidences of this type of fraud, where a thief uses your card number without having the actual card, rose 40 percent last year. Pascual expects those gains to continue. “We’ve gone digital because it’s convenient,” he says. “So have criminals.”

How to guard against it: Take advantage if your credit card offers ways to obscure your payment details, advises Dr. Stephen Coggeshall, Chief Analytics and Science Officer of ID Analytics. Some credit card issuers and fraud protection services will send you alerts if a charge is made and your card is not present. Do that as well. And pay attention to your credit card statements, watching, in particular, for charges you don’t understand.

New Account Fraud

What you need to know: This form of fraud, where a thief steals enough of your identifying information to open an account in your name, is on the upswing. Incidents nearly doubled from 2014 to 2015, and this year showed “almost the same degree of growth,” Pascual said. Importantly, the new accounts being opened are not just at traditional lenders, but also at alternative ones, including payday lenders and peer-to-peer lenders. Those are tougher to track.

How to guard against it: Monitoring your credit, by either taking a very consistent look at your own reports or having a service do it for you, is the key here. One advantage of some services, notes Pascual, is that they look beyond the item on your credit reports to checking and savings accounts and alternative lenders. Also, it sounds run of the mill, but open every piece of mail you get from a financial institution—even those you don’t patronize. Often, you’ll receive notice when an account is opened in your name, giving you a chance to shut it down and alert the credit bureaus.

Account Takeover Fraud

What you need to know: This type of fraud is distinguished by the fact that a criminal is essentially trying to usurp control for a pre-existing account that you’ve set up. Signs that it might be happening include receiving change of password or change of address notices that aren’t prompted by your actions. “These cases result in the highest average loss amount, and sometimes a consumer can be stuck for more of the bill,” says Pascual, explaining that it can be difficult to prove that you didn’t take the actions involving your account, such as removing or spending funds.

How to guard against it: Don’t reuse passwords across sites—particularly across financial ones. Criminals will take the password list from one breach and try those passwords at every major bank across the country to see if they can be used. Tell your financial institutions you want multiple notifications—by both text and email—if actions are taken on your account. “The idea is to make it harder for communication to be severed between you and the institutions,” says Pascual. And if two-factor authentication is available for entry to any of your financial sites, use it.

Sophisticated Phishing

What you need to know: The phishers have gotten better at their game. “We’re used to seeing phishing with poor misspelling, bad grammar, and poor formatting,” says Coggeshall. Criminals have moved beyond that. Today, corporate emails are being spoofed and employees are being sent letters from the CEO or finance department that look legitimate. In some cases, hackers take the time to learn things about you specifically, then target you with a specially crafted phish.

How to guard against it: If someone contacts you that you’re not used to hearing from and asks for any sort of financial or identifying information, a bell should go off in your head. Don’t click on the email. Don’t give out information by phone or text. Instead, back away and—if you believe it might be real—initiate the communication yourself to figure out if the need is legitimate.